IETF Logo Mail Archive

Re: [TLS] BoringSSL's TLS test suite

Jim Schaad <ietf@augustcellars.com> Sun, 25 September 2016 23:30 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD29712B04D for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 16:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.217
X-Spam-Level:
X-Spam-Status: No, score=-4.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n_VMyr72CuAM for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 16:30:19 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6437112B047 for <tls@ietf.org>; Sun, 25 Sep 2016 16:30:19 -0700 (PDT)
Received: from hebrews (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 25 Sep 2016 16:43:28 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: henrick@streamsec.se, 'David Benjamin' <davidben@google.com>, tls@ietf.org
References: <CAF8qwaBQkVy+wcK1-NFctBepV7TW93YmmPnxS2WoJ6F6=v-aEg@mail.gmail.com> <c70c6db3-5d1c-d2db-1e37-f8849166786e@streamsec.se> <CAF8qwaAQYwW9s0E_V-TqHhTqL9sBhobzsGUch5TDQynK2VNfEw@mail.gmail.com> <227dcca5-6549-3b71-1ceb-23686df822bb@streamsec.se>
In-Reply-To: <227dcca5-6549-3b71-1ceb-23686df822bb@streamsec.se>
Date: Sun, 25 Sep 2016 16:29:59 -0700
Message-ID: <008801d21784$bd905380$38b0fa80$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQForOp3QPsKEoAPeD+Qw7kYxpy4lgJNgXjzAbgH+SACI3xQyaEsZjbA
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2FdFHtvADBdWrRqsY5JwuTSvxlo>
Subject: Re: [TLS] BoringSSL's TLS test suite
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 23:30:22 -0000


> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Henrick Hellström
> Sent: Sunday, September 25, 2016 2:35 PM
> To: David Benjamin <davidben@google.com>; tls@ietf.org
> Subject: Re: [TLS] BoringSSL's TLS test suite
> 
> On 2016-09-25 23:23, David Benjamin wrote:
> > Do you mean in RSA SubjectPublicKeyInfos? For those, such encodings
> > are not actually standards-compliant. Per RFC 3279, 2.3.1:
> >
> >    The rsaEncryption OID is intended to be used in the algorithm field
> >    of a value of type AlgorithmIdentifier.  The parameters field MUST
> >    have ASN.1 type NULL for this algorithm identifier.
> >
> > https://tools.ietf.org/html/rfc3279#section-2.3.1
> 
> Then again, the ASN.1 module in
> https://datatracker.ietf.org/doc/rfc5280/ says differently. Strictly
speaking, RFC
> 3279 does not override the PKIX specification when it comes to X.509
> certificates; only for formats such as RSA PUBLIC KEY that rely solely on
the
> ASN.1 module in RFC 3279.

The ASN.1 module in RFC 5280 does not say anything about if the field is
optional for any specific algorithm.  The ASN.1 for algorithm identifier is

AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  

This very explicitly says that the value (and hence presence) of the
parameters fields is strictly defined by the algorithm identifier.  The
algorithm identifiers for RSA with the SHA2 algorithms explicitly say they
are required.


RFC 5912 shows that this is required with the way it defines the same
information

  sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= {
       IDENTIFIER sha256WithRSAEncryption
       PARAMS TYPE NULL ARE required
       HASHES { mda-sha256 }
       PUBLIC-KEYS { pk-rsa }
       SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption }
   }

You can see that the parameters are required and not optional.

Jim


> 
> 
> > There are other contexts where (due to historical mistakes) specs
> > declared both are acceptable, but amazingly not RSA SPKIs. BoringSSL
> > has enforced it for quite some time now, so it seems this part of the
> > specification matches reality. If I recall, mozilla::pkix enforces
> > this as well?
> 
> Actually no, just tested Chrome v53 and Firefox v49 for the Windows
platform.
> Only Chrome fails when connecting to a server that presents a server
certificate
> with the NULL parameters omitted from the DER encoding.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email